[Game hacking] Hook move function

Celid · 09/17/2019, 15:23

Hello everyone!
I need to hook the move function of my character in Nostale and use it in c#/c++, can someone help me to do this?

Celid · 09/25/2019, 10:55

Can someone help me?

I've wrote the asm but when I execute it, the game crashes.

Code:

unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		mov eax, myPosition
		mov edx, newPosition
		call walkAddress
        }
}

IceTrailer · 09/25/2019, 18:26

Quote:

Originally Posted by Celid

Code:

unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		mov eax, myPosition
		mov edx, newPosition
		call walkAddress
        }
}

Looks like you use dynamic addresses and no static address. Dynamic addresses vary everytime you run Nostale and allocate new memory.
You have to deduce which address writes to your dynamic address (you have to find the new one) and use then the pointer.

DarkyZShadow · 09/26/2019, 01:16

Quote:
Originally Posted by Celid
Can someone help me?

I've wrote the asm but when I execute it, the game crashes.
Code:
unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		mov eax, myPosition
		mov edx, newPosition
		call walkAddress
        }
}

Remember that declaring your function with "naked" removes the prolog and epilog from it (cf

).
So you have to add the "ret" instruction at the end of your function else your program will continue to execute undefined instructions after the call to "walkAddress".

You can try something like that :

Code:

unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		mov eax, myPosition
		mov edx, newPosition
		call walkAddress
		ret
        }
}

Celid · 09/26/2019, 20:47

Quote:

Originally Posted by IceTrailer

Looks like you use dynamic addresses and no static address. Dynamic addresses vary everytime you run Nostale and allocate new memory.
You have to deduce which address writes to your dynamic address (you have to find the new one) and use then the pointer.

Hello IceTrailer and thank you for your reply,
I don't understand what do you mean, the address I found is a static address.

Quote:
Originally Posted by DarkyZShadow
Remember that declaring your function with "naked" removes the prolog and epilog from it (cf ).
So you have to add the "ret" instruction at the end of your function else your program will continue to execute undefined instructions after the call to "walkAddress".

You can try something like that :
Code:
unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		mov eax, myPosition
		mov edx, newPosition
		call walkAddress
		ret
        }
}

Hello DarkyZShadow and thank you for your reply,
I've added ret at the end but it doesn't work.
I've tryed also to set all the registers as they normally are before calling the function but steel it doesn't works.

DarkyZShadow · 09/26/2019, 22:54

Quote:

Originally Posted by Celid

Hello DarkyZ and thank you for your reply,
I've added ret at the end but it doesn't work.
I've tryed also to set all the registers as they normally are before calling the function but steel it doesn't works.

How did you do that ? Using PUSHAD/POPFD instructions ? Also, try to save flags (PUSHFD/POPFD).

Code:

unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		; Save registers & flags
		pushad
		pushfd

		mov eax, myPosition
		mov edx, newPosition
		call walkAddress

		; Restore flags & registers: don't forget to reverse the order
		popfd
		popad

		ret
        }
}

If it doesn't work, you probably have a problem when you call the "walk" function (bad address, bad parameters, ...)

Celid · 09/28/2019, 20:54

Quote:
Originally Posted by DarkyZShadow
How did you do that ? Using PUSHAD/POPFD instructions ? Also, try to save flags (PUSHFD/POPFD).
Code:
unsigned newPosition = 0x000A000A;
DWORD walkAddress = 0x00490A40;

void __declspec(naked) ourFunct() {
	__asm {
		; Save registers & flags
		pushad
		pushfd

		mov eax, myPosition
		mov edx, newPosition
		call walkAddress

		; Restore flags & registers: don't forget to reverse the order
		popfd
		popad

		ret
        }
}
If it doesn't work, you probably have a problem when you call the "walk" function (bad address, bad parameters, ...)

I've the move function:

Code:

NostaleClientX.exe+145309 - 6A 01                 - push 01
NostaleClientX.exe+14530B - 33 C9                 - xor ecx,ecx
NostaleClientX.exe+14530D - 8B 55 FC              - mov edx,[ebp-04]
NostaleClientX.exe+145310 - A1 88B78600           - mov eax,[NostaleClientX.exe+46B788] { (0E2AADD0) }
NostaleClientX.exe+145315 - E8 2653FFFF           - call NostaleClientX.exe+13A640

Do you know how can I call It in c++ or in c# when I need to move my char?
For now I've edit the move coords whit memory write (code cave) and when I click my char moves in the right coords.
Now I want to call my function without click in the game.